Mû he 


Si 


i FBI Cyber Division 
Opera tion BOT ROAST 


y 3 ` B OM 
d 3 
pits ass. SIN 
e a m. ; : 
AJAN رر سپا‎ N 
eten AÑ j 
» = N 1 
ù û 
> BS ۷ ` i 
a 
"E 
» ^ s, á N 
H ER: r 
گے‎ e fh % ۴م‎ 7 
d ui Kv A VE 
1 - کو یں‎ d . 
CN (FE Hp N 
ok: Û N ñ - D A NS 
it û ف‎ P 
3 FEDERA AF 
> 4 E M dE 
3 % EM N n 
Û PSI ê A . A: 
N s 


— ` — eog1(@@mé@Ò@—eI1rr’roe». cpu 


M Introductions ۱ 
; aes Mitigation Strategy 
X Vic um: Notification Strategy 
X Press Ê Release/ Media Strategy 


X Closing Remarks 
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Answer: Botnet Task Force 


October 2006 


x Botnet Task Force 
discusses plans 
for a coordinated 
takedown 


x Multi-National 
takedown 


x Extremely 
difficult 


March 2007 


x FBI Cyber Division 
initiates National 
Botnet Takedown 
Operation 


X Operation BOT 
ROAST 

'j x Operation is small in 

| nature, 

approximately four 

(4) field offices 
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. Operation BOT ROAST: 
> Players 


x FBI 
× CART- Forensics 
x General Counsel 
x Internet Crime 
Complaint Center 
x US Department of 
Justice 


x Computer Crimes 
& Intellectual 
Property 
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Operation BOT ROAST: 
K= A Battlefield 


E 
Le 22 mitigation = Difficult 
N Coordination = = Challenging 
(6 million victim IP 
dddresses 

Thousands of fraud malware 
"Very little botnet C&C malware 
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x Public Awareness 
Campaign. PENES. 
x To disrupt and — — 
deter the Botnet 
. Underground - ET. 
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, 9ء‎ the 
Botherders 

X Show industry 
and law 
enforcement are 
joining forces 


.. Operation BOT ROAST: 
" N Mitigation 


Ê 7 / difficult task 


tsGoRe-focused on botnet crimes law 
<è nforcement could prosecute 

x Follow on botnet activity through 

follow-on investigations 


x Clähdestine meeting with industry 
to discuss strategy 


x Ongoing Operation 
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.. Operation BOT ROAST: 
Coordination 


x scheduled conference calls appx every 
three weeks. 


` x Two months scheduled to execute 
Opelintion BOT ROAST 


Office of Victim | 
Assistance 


Industry 


Cyber Division 


Media/Press 


ج٦‎ Operation BOT ROAST: 
viin Identification Notification 


i, How iv does one identify and notify 
sU he million victim IP addresses? 


1 sources to identify 
x {Resources to notify 
«Varying categories of victims 
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: “our Categories of Victims 


ernet Services Providers 
v Institutions 


p^ providers 
۳ Foreign Government 
x Foreign ISP 


Two Wave Process: 
Victim Notification 


x First Wave: 

x Provide IP 
addresses to 
potential victims 

x Organization 

` confirms it's a 
victim 

x Second Wave: 


x Provide victim | 
assistance | 


a with Industry 


| x Close coordination with National 
۱ Press. Office 


.. Operation BOT ROAST: 
Ongoing Operations 


x Continuing: 
x Victim Notification 
۳۲ Malware Analysis 
x Data 
Dissemination 
x Investigations 
x Prosecution 
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۱ Ri II 


۳ = Law 


nforcement 


AL 
E 5 3 
SEL ^u 
it ES 
! Fall ee 
7 
Ê ja 


FA 
| / û 


| سی ےر ا‎ clearly with brevity 
\ x Efisure all parties are participating 
x N x You: cannot please everyone 

x Keep i it epi | 


Operation BOT ROAST 


Botnet Initiative National Takedown 
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July 12, 2007 
BOTCON 6 
Sydney, Australia 


